Suppose Alice wants to send a file F to Bob, ensuring integrity and confidentiality. They share a symmetric key $K_{ab}$ and use AES. No hash algorithm is available.

Alice sends to Bob: $Enc(K_{ab}, F)$

In this simple scheme, are integrity and confidentiality guaranteed?

My answer:

Confidentiality is guaranteed if we use CBC (cipher block chaining) for example. But this is obvious. If we use a symmetric encryption algorithm such as AES we have to use CBC, CFB, OFB or whatever... right? So this answer seems too simple.

I would say that a computer is not able to tell if the message has been tampered with. So I would use CBC along with a "weak" cryptographic checksum inside CBC. A longer non-cryptographic checksum is suspect and subtle attacks are known if CRC is short.

Use OCB (Offset Codebook Mode). This mode of operation gets both encryption and integrity protection while making only a single cryptographic pass over the data.

Are these answers correct? Could you give some background on why they are correct or not?

P.S.: I could get privacy of a message with CBC encryption and integrity with CBC residue as long as the two are computed with different keys, but this requires twice the cryptographic power of encryption alone.
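The three schemes the question compares, as an added worked example that is not part of the original post or of any answer: the bare $Enc(K_{ab}, F)$ with AES-CBC, the "CBC encryption plus CBC residue under a second key" construction from the P.S., and an authenticated mode. It uses only Go's standard library; since OCB is not in the standard library, AES-GCM stands in as the authenticated mode. The keys, IV, nonce and file contents are constructed for the demo (a real sender draws them at random, and a GCM nonce must never repeat under one key). The CBC-MAC prepends the message length as a first block, because plain CBC-MAC is only secure for fixed-length messages.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed demo values; fixed only so the run is deterministic.
var (
	keyEnc = []byte("0123456789abcdef") // K_ab, used for encryption
	keyMac = []byte("fedcba9876543210") // independent key for the CBC residue
	iv     = []byte("constructed-iv!!") // 16 bytes
)

// pad/unpad implement PKCS#7 so CBC can handle any file length.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt is the scheme from the question: Enc(K_ab, F), nothing else.
func cbcEncrypt(key, iv, pt []byte) []byte {
	blk, _ := aes.NewCipher(key)
	in := pad(pt)
	ct := make([]byte, len(in))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, in)
	return ct
}

func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

// cbcMAC is the "CBC residue": the last CBC block under a zero IV and a separate key.
// A leading length block makes it safe for variable-length, block-aligned input.
func cbcMAC(key, msg []byte) []byte {
	blk, _ := aes.NewCipher(key)
	in := make([]byte, aes.BlockSize, aes.BlockSize+len(msg))
	binary.BigEndian.PutUint64(in, uint64(len(msg)))
	in = append(in, msg...)
	out := make([]byte, len(in))
	cipher.NewCBCEncrypter(blk, make([]byte, aes.BlockSize)).CryptBlocks(out, in)
	return out[len(out)-aes.BlockSize:]
}

// sealEtM/openEtM: encrypt-then-MAC with two keys, i.e. the P.S. construction.
// Packet layout is iv || ct || tag; the tag is checked before anything is decrypted.
func sealEtM(pt []byte) []byte {
	msg := append(append([]byte{}, iv...), cbcEncrypt(keyEnc, iv, pt)...)
	return append(msg, cbcMAC(keyMac, msg)...)
}

func openEtM(packet []byte) ([]byte, error) {
	if len(packet) < 3*aes.BlockSize {
		return nil, errors.New("packet too short")
	}
	msg, tag := packet[:len(packet)-aes.BlockSize], packet[len(packet)-aes.BlockSize:]
	if subtle.ConstantTimeCompare(tag, cbcMAC(keyMac, msg)) != 1 {
		return nil, errors.New("MAC mismatch: message was modified")
	}
	return cbcDecrypt(keyEnc, msg[:aes.BlockSize], msg[aes.BlockSize:])
}

func flipFirstBit(b []byte) []byte {
	c := append([]byte{}, b...)
	c[0] ^= 0x01
	return c
}

// cbcOnly shows CBC's malleability: an attacker who flips one bit of the IV flips the
// same bit of the first plaintext block, and decryption reports no error at all.
func cbcOnly(pt []byte) ([]byte, error) {
	return cbcDecrypt(keyEnc, flipFirstBit(iv), cbcEncrypt(keyEnc, iv, pt))
}

// etmDemo reports whether the intact packet opens to pt and whether a one-bit
// change to the packet is rejected.
func etmDemo(pt []byte) (intactOK, tamperRejected bool) {
	packet := sealEtM(pt)
	got, err := openEtM(packet)
	intactOK = err == nil && bytes.Equal(got, pt)
	_, err = openEtM(flipFirstBit(packet))
	return intactOK, err != nil
}

// gcmDemo does the same with AES-GCM (one pass, one key) from the standard library.
func gcmDemo(pt []byte) (intactOK, tamperRejected bool) {
	blk, _ := aes.NewCipher(keyEnc)
	aead, _ := cipher.NewGCM(blk)
	nonce := []byte("constructed!") // 12 bytes; constructed for the demo
	packet := aead.Seal(nil, nonce, pt, nil)
	got, err := aead.Open(nil, nonce, packet, nil)
	intactOK = err == nil && bytes.Equal(got, pt)
	_, err = aead.Open(nil, nonce, flipFirstBit(packet), nil)
	return intactOK, err != nil
}

func main() {
	file := []byte("PAY $100 TO BOB; memo: invoice 17") // constructed file contents
	got, err := cbcOnly(file)
	fmt.Printf("CBC only:    err=%v recovered=%q\n", err, got)
	ok, rej := etmDemo(file)
	fmt.Printf("CBC + residue: intact=%v tamperRejected=%v\n", ok, rej)
	ok, rej = gcmDemo(file)
	fmt.Printf("AES-GCM:     intact=%v tamperRejected=%v\n", ok, rej)
}
```

Running it, the CBC-only path returns "QAY $100 TO BOB; ..." with a nil error: Bob has no way to tell the file was altered. Both authenticated variants return the original file and reject the modified packet before any plaintext is produced, which is also what stops the padding-oracle issue raised in the comments, since an attacker can no longer submit chosen ciphertexts to the decryptor.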

Confidentiality of CBC is not automatically guaranteed. Often padding oracles apply, and those do break CBC confidentiality.
– Maarten Bodewes♦ Aug 25 '15 at 8:29

But is there any particular problem with the given protocol? Is the answer related to any particular use of a mode of operation?
– Loris Aug 26 '15 at 13:30

Integrity is in no way guaranteed by your protocol, unless you are using an authenticated mode. In many non-authenticated modes, depending on the particular use-case, confidentiality might not even be guaranteed (e.g., CBC and padding oracles). So yes, there is a problem with the given protocol.
– Stephen Touset Aug 27 '15 at 23:30

... and if you don't need a mode now, but in the "near" future, just wait for the outcomes of the CAESAR competition.
– SEJPM♦ Aug 24 '15 at 21:39

This is too advanced for me. The answer should be simpler in my opinion. I don't know those libraries. The matter is, given that protocol, does it provide confidentiality and integrity? AES is a very strong algorithm and must be used along with a mode of operation, like any other symmetric algorithm. Each mode of operation has its pros and cons (we did not choose a best one), so this is the reason I'm confused. Integrity is ensured if we use a mode of operation along with a checksum.
– Loris Aug 26 '15 at 13:29

@Loris: "Integrity is ensured if we use a mode of operation along with a checksum." No, it really isn't. This is why authenticated modes exist. If you need an easy library, just use libsodium for whatever language you are using and the crypto_secretbox functions. The defaults are secure and fast.
– rmalayter Aug 26 '15 at 21:42

I don't need a library. I have to answer that question :)
– Loris Aug 27 '15 at 9:24

You clearly DO need a library to handle this for you. Do you know how to ensure all your functions run in constant time? Do you know how to ensure all memory allocations are securely overwritten?
– rmalayter Aug 28 '15 at 13:11